Plugins are distributed without a license file
corneliusweig opened this issue · 15 comments
I realized that no plugin that I'm aware of actually installs a license file. That seems to violate the conditions of many licenses, for example the Apache license which states under 4.c)
You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
Most of the time, the original authors submit their plugins to the index. Even then, we are most likely violating the license conditions. So what should we do about it? Options:
- Require that plugin authors also copy over their license(s) in the `files` field of the manifest. This will require a lot of back and forth with plugin authors until all plugins are updated.
- Add a new mandatory manifest field `license` which simply states what the license of the plugin is. This is simpler, but maybe not sufficient.
WDYT?
Excellent point, I think you're right we should fix this.
To be precise, this is a "distribution" problem and not a problem with "krew" itself, at best, it's a krew-index issue.
> Require that plugin authors also copy over their license(s) in the `files` field of the manifest. This will require a lot of back and forth with plugin authors until all plugins are updated.
Technically we could do this ourselves easily. It's not a bad idea.
Similarly we'd need to make it part of our review procedure for krew-index.
> Add a new mandatory manifest field `license` which simply states what the license of the plugin is. This is simpler, but maybe not sufficient.
I think a new `license` field is not going to be the best idea. We actually need the full text. Also, some plugins in the future (such as "private plugins") won't need this field. Making it required will create friction.
I've been trying to recall what Homebrew does, because for many similar formulae (kubectx.rb, kubernetes-cli.rb, fzf.rb, ...) the file doesn't talk about the license.
I am suspecting Homebrew is copying certain files like LICENSE* COPYING* CHANGELOG* out of the repository root as an implicit step, but I cannot find docs on this behavior.
It indeed seems like Brew is automatically copying out these files:
https://rubydoc.brew.sh/Metafiles.html
I can't easily read ruby code, but my guess is it's only picking these from the repository root, but in our case there's no such concept.
For example, in tag tarballs provided by GitHub (imagine bash plugins), the root level dir is technically 1-level nested, like `kubectx-v0.7.1/LICENSE`.
I agree that this is mainly a krew-index problem. But it might need support from krew as well.
> Technically we could do this ourselves easily. It's not a bad idea.
I'm not so sure about this. Doesn't this mean that we need to include the correct license file in every plugin bundle? Only repo owners have the right to do that though. And it will take a lot of back-and-forth until all plugins comply.
For that reason, I think a new `license` field in the manifest may be the better option. What exactly this field looks like and how it should behave remains to be discussed.
Precisely, we need to get ahead of the growth here.
I feel like there will be some manual work involved. We should probably open a mega issue with all plugins and keep track of the fixes very soon.
> For that reason, I think a new `license` field in the manifest may be the better option.
Yeah but LICENSE file is not really special. Similarly, they might have multiple licenses, dependency licenses, other files like {changelogs,authors}.txt that they might need to ship. I recommend we don't get into that business.
I'm currently -1 for introducing a new field, just for the license.
It's clear to me
(1) we need to work with repo authors, maybe even make PRs to them ourselves, and it'll be a team effort
(2) make this a requirement from now on (update docs, PR templates etc).
What I'm more unclear about is which one of these we should do:
- copy certain files (license, copying, ...) from the archive (root, or maybe 1-level deep) automatically out to installDir
- explicitly require every plugin to copy its LICENSE and similar files in `files:`.
Ok, I get your point.
In that case, it looks like we could save our plugin authors some manual hassle if we go with the automatic copying option. If I'm not missing anything, then this is our roadmap:
- When installing new plugins, search for the license file by name and copy that out into `$KREW_HOME/store`. When no license can be found, the install should fail.
- Make sure that a license file is included in all current plugins. This will be manual work and we should get involved with opening PRs in the original repos.
- Add a validation step for manifests, that the bundle contains a `license` or `LICENSE` file (probably ignore case altogether).
- Update the instructions for plugin submission. Also point out that it is the responsibility of plugin submitters to also include and copy out any other files like `changelog.txt` or `authors.txt` if this is necessary to comply with plugin licenses.
I'll create a google doc to organize our work around adding licenses to archive bundles. Please respond here if you want to get assigned a batch of plugins :)
I created a sheet to track the plugin license status: https://docs.google.com/spreadsheets/d/1Q3enNf61muuVQw6eWLsMTfZJ67tbEpedKAH94MjbBjI/edit?usp=sharing
If you think the above plan sounds good, I'll create a few issues tomorrow.
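The two mechanisms discussed in this thread (scanning an archive for a license file at the root or one directory deep, and the validation step that fails when none is found) can be sketched in Go, krew's own language. The following is an added example written for this page, not code from krew or krew-index. It assumes the name patterns LICENSE/LICENCE/COPYING with any extension, and it emits entries in the `from`/`to` shape of a manifest `files:` item, which is taken here as an assumption about the manifest format. The archive it scans is constructed in memory, so it runs offline.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path"
	"sort"
	"strings"
)

// FileEntry mirrors the assumed shape of a krew manifest `files:` item (from/to keys).
type FileEntry struct {
	From string
	To   string
}

// licenseStems are the case-insensitive basenames (extension stripped) treated as license files.
var licenseStems = []string{"license", "licence", "copying"}

// isLicenseName reports whether base looks like a license file: LICENSE, License.md, COPYING.txt, ...
func isLicenseName(base string) bool {
	lower := strings.ToLower(base)
	stem := strings.TrimSuffix(lower, path.Ext(lower))
	for _, s := range licenseStems {
		if stem == s {
			return true
		}
	}
	return false
}

// FindLicenseFiles scans a gzip-compressed tarball and returns manifest file entries for
// license files found at the archive root or exactly one directory deep (GitHub tag tarballs
// nest everything under a top-level dir such as kubectx-v0.7.1/). Deeper matches, e.g. vendored
// dependency licenses, are ignored. It returns an error when nothing is found, which is the
// "install should fail" rule from the roadmap above.
func FindLicenseFiles(tgz []byte) ([]FileEntry, error) {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var entries []FileEntry
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		// Normalise "./LICENSE" to "LICENSE" and refuse names that escape the archive root.
		name := path.Clean(hdr.Name)
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("refusing path outside archive: %q", hdr.Name)
		}
		if strings.Count(name, "/") > 1 || !isLicenseName(path.Base(name)) {
			continue
		}
		entries = append(entries, FileEntry{From: name, To: "."})
	}
	if len(entries) == 0 {
		return nil, errors.New("no LICENSE/COPYING file found at archive root or one level deep")
	}
	sort.Slice(entries, func(i, j int) bool { return entries[i].From < entries[j].From })
	return entries, nil
}

// buildTarGz builds a constructed in-memory archive for the demo; it is not a real plugin.
func buildTarGz(files map[string]string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, content := range files {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(content)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(content)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	if err := gz.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed sample: a GitHub-style tag tarball with a nested root dir.
	tgz := buildTarGz(map[string]string{
		"kubectx-v0.7.1/kubectl-ctx":          "#!/bin/sh\n",
		"kubectx-v0.7.1/LICENSE":              "Apache License 2.0\n",
		"kubectx-v0.7.1/vendor/x/LICENSE.txt": "MIT\n",
	})
	entries, err := FindLicenseFiles(tgz)
	fmt.Println(entries, err)
}
```

Run with `go run`, and the scan reports only `kubectx-v0.7.1/LICENSE`; the vendored license two levels deep is skipped and an archive without a license returns an error instead of an empty list.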
Oh, it's much better than I had anticipated. Exactly half of the plugins already contain a license file. There are `LICENSE.md`, `LICENSE`, and `LICENSE.txt`.
I assume on that spreadsheet "included" means, it exists in the repo, right?
@ahmetb Yes, that's correct.
As discussed offline, we are going to handle this purely on the krew-index side. This means that all plugin manifests must manually copy out their license file.
For those that already contain a license, we can do this without bothering the plugin authors. For all remaining ones, I opened an issue.
/priority important-soon
For the plugins that have a license in their archive but don't install the license, I opened the following PRs:
- Install license for `restart` (#339)
- Install license for `who-can` (#338)
- Install license for `config-cleanup` (#337)
- Install license for `tail` (#336)
- Install license for `cssh` (#335)
- Install license for `konfig` (#334)
- Install license for `view-secret` (#333)
- Install license for `bulk-action` (#332)
- Install license for `warp` (#331)
- Install license for `iexec` (#330)
- Install license for `gopass` (#329)
- Install license for `sudo` (#328)
- Install license for `outdated` (#327)
- Install license for `preflight` (#326)
- Install license for `support-bundle` (#325)
- Install license for `sort-manifests` (#324)
- Install license for `open-svc` (#323)
- Install license for `view-serviceaccount-kubeconfig` (#322)
- Install license for `prune-unused` (#321)
- Install license for `exec-cronjob` (#320)
- Install license for `custom-cols` (#319)
- Install license for `ssh-jump` (#318)
Thanks @corneliusweig. I've bulk merged them by applying lgtm label.
For the remaining, feel free to add a `- [ ]` checklist to your original issue message (or open a new issue for tracking what's left).
Follow-up issue is #341